Re: crypt_r()?

To: Mouse <mouse%Rodents-Montreal.ORG@localhost>
Subject: Re: crypt_r()?
From: Taylor R Campbell <campbell+netbsd-tech-userlevel%mumble.net@localhost>
Date: Wed, 16 Feb 2022 19:16:03 +0000

> Date: Wed, 16 Feb 2022 10:27:08 -0500 (EST)
> From: Mouse <mouse%Rodents-Montreal.ORG@localhost>
> 
> > Thi is an essential hardening step against FPGA/custom ASIC
> > implementations.
> 
> I can't help feeling that there should be better ways to do that.  I
> like the idea of resistance to such things, but, for at least my
> purposes, the ability to check passwords without major resource
> consumption is a routine desire; resistance against an attacker willing
> to invest in custom hardware is not.

Then for your purposes, you can set default parameters in
/etc/passwd.conf that are bounded according to the resources of the
least capable machine in your environment.

But a _program_ that is supposed to work with any /etc/master.passwd
has to be able to handle the parameters set there, so it's not
sensible to ask the caller to preallocate enough storage for any
password hashing computation since there is, a priori, no static upper
bound on how much storage that might be (not to mention it might also
need to spawn threads for parallelism).

References:
- Re: crypt_r()?
  - From: Mouse

Prev by Date: Re: crypt_r()?
Next by Date: Re: crypt_r()?
Previous by Thread: Re: crypt_r()?
Next by Thread: Re: crypt_r()?
Indexes:

Home | Main Index | Thread Index | Old Index